vulnerability
Amazon Linux 2023: CVE-2026-3949: Low priority package update for libheif
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 2 | (AV:L/AC:L/Au:S/C:N/I:N/A:P) | Mar 11, 2026 | Apr 7, 2026 | Apr 7, 2026 |
Severity
2
CVSS
(AV:L/AC:L/Au:S/C:N/I:N/A:P)
Published
Mar 11, 2026
Added
Apr 7, 2026
Modified
Apr 7, 2026
Description
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b5f198b27f375127cd597a35f2113544d03. It is advisable to implement a patch to correct this issue.
Solutions
amazon-linux-2023-upgrade-heif-pixbuf-loaderamazon-linux-2023-upgrade-heif-pixbuf-loader-debuginfoamazon-linux-2023-upgrade-libheifamazon-linux-2023-upgrade-libheif-debuginfoamazon-linux-2023-upgrade-libheif-debugsourceamazon-linux-2023-upgrade-libheif-develamazon-linux-2023-upgrade-libheif-toolsamazon-linux-2023-upgrade-libheif-tools-debuginfo
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.